TITLE OF THE INVENTION
ENCRYPTION METHOD, DECRYPTION METHOD,
CRYPTOGRAPHIC COMMUNICATION METHOD,
CRYPTOGRAPHIC COMMUNICATION SYSTEM, MEMORY PRODUCT
AND DATA SIGNAL EMBODIED IN CARRIER WAVE

BACKGROUND OF THE INVENTION 
The present invention relates to public-key cryptosystems for transforming plaintext into ciphertext by using a public key, and more particularly relates to product-sum type cryptosystems.

In today's society, often called a highly information-oriented society built on computer networks, important business documents and image information are transmitted and processed in the form of electronic information. Such electronic information can be copied easily, and it is hard to distinguish the copies from the original, so information security is regarded as an important issue. In particular, the realization of computer networks satisfying the elements "sharing computer resources", "multi-access", and "wide area network" is indispensable for the establishment of the highly information-oriented society, yet these elements conflict with maintaining information security between the parties concerned. As an effective means of resolving this conflict, cryptographic techniques, which in the past were used mainly in the military and diplomatic fields, are attracting attention.

Cryptography transforms information so that its meaning cannot be understood by parties who are not concerned. In cryptography, the process of transforming the original text (plaintext), which is understandable by everyone, into a text (ciphertext) whose meaning is not understandable by a third party is encryption; the process of returning the ciphertext into the plaintext is decryption; and the entire processes of encryption and decryption are called a cryptosystem. Secret information called an encryption key and a decryption key is used in the encryption process and the decryption process, respectively. Since the secret decryption key is necessary for decryption, only a party who knows this decryption key can decrypt the ciphertext, and thus the secrecy of the information is maintained by encryption.

Encryption schemes are mainly classified into two types: common-key cryptosystems and public-key cryptosystems. In common-key cryptosystems, the encryption key and the decryption key are identical, and the sender and the receiver perform cryptographic communication by possessing the same common key. The sender encrypts the plaintext based on a secret common key and transmits the ciphertext to the receiver, while the receiver decrypts the ciphertext into the plaintext by using this common key. By contrast, in public-key cryptosystems, the encryption key and the decryption key differ from each other: the sender encrypts the plaintext with the receiver's publicized public key, and the receiver decrypts the ciphertext with its own secret key to perform cryptographic communication. The public key is a key for encryption and the secret key is a key for decrypting ciphertext which was transformed by the public key, and the ciphertext transformed by the public key can be decrypted only by the secret key.

As one scheme of public-key cryptosystem, a product-sum type cryptosystem has been known. This is an encryption scheme in which one entity as the sender creates ciphertext $C = m_1 c_1 + m_2 c_2 + \cdots + m_K c_K$ by using a plaintext vector m $= (m_1, m_2, \ldots, m_K)$ obtained by dividing the plaintext into K parts and a base vector c $= (c_1, c_2, \ldots, c_K)$ as the public key, while the other entity as the receiver decrypts the ciphertext C into the plaintext vector m by using the secret key to obtain the original plaintext.

Regarding such product-sum type cryptosystems using an operation over an integer ring, while novel schemes and attacking methods have been proposed one after another, there is a particular demand for encryption/decryption techniques that enable high-speed decryption so as to process a large volume of information in a short time. Accordingly, the present inventor et al. proposed an encryption method and decryption method according to a product-sum type cryptosystem, which enable high-speed parallel decryption processing by using the Chinese Remainder Theorem (Japanese Patent Application Laid-Open No. 2000-89669). This encryption method is characterized by modulo-transforming the components $c_i$ ($i = 1, 2, \ldots, K$) of the base vector c based on bases $D_i$ which are set such that $D_i = d/d_i$ (where $d = d_1 d_2 \cdots d_K$) by using K mutually prime integers $d_i$, or based on bases $V_i$ which are set such that $V_i = (d/d_i) v_i$ by using K mutually prime integers $d_i$ and random numbers $v_i$ ($\gcd(d_i, v_i) = 1$). Thus, since the ciphertext is decrypted in parallel using the Chinese Remainder Theorem, it is possible to perform high-speed decryption.

In this scheme, however, since the density is low unless the number of public keys is made extremely large, there is a problem that this scheme is sometimes weak against the low-density attack, which directly finds the plaintext from the public keys and the ciphertext by using the LLL (Lenstra-Lenstra-Lovasz) algorithm, and thus there is a demand for a further improvement in its security.

BRIEF SUMMARY OF THE INVENTION 
An object of the present invention is to provide an encryption method and decryption method which are invulnerable to the low-density attack and capable of improving the security, by improving the above-mentioned conventional examples, and also to provide a cryptographic communication method and cryptographic communication system using this encryption method, and a memory product/data signal embodied in carrier wave for recording/transmitting an operation program of this encryption method.

In the present invention, ciphertext is created by giving redundancy to plaintext, i.e., reducing the plaintext. In other words, a composite vector is created by adding a random number vector consisting of random number components, which carry no information that particularly needs to be transmitted, to a plaintext vector obtained by dividing the plaintext to be encrypted, and the ciphertext is created using this composite vector and a publicized public-key vector. More specifically, the product-sum operation result of the components of the composite vector and the components of the public-key vector, or a remainder obtained by dividing the product-sum operation result by a modulus, is made the ciphertext.

In the present invention, since a redundant portion (reduced portion) which need not be encrypted is added, the density of the ciphertext becomes higher. Moreover, since a very large number of composite vectors, i.e., a very large number of ciphertexts, exist for a single plaintext vector, it is extremely difficult to make the low-density attack based on the LLL algorithm. As a result, the security is improved.

For example, ciphertext is created using a third vector (extended plaintext vector) formed by combining a first vector (plaintext vector) obtained by dividing plaintext to be encrypted and a second vector (pseudo plaintext vector) consisting of random number components which carry no information that particularly needs to be transmitted, and one or a plurality of fourth vectors (base vectors) whose components are respectively set such that $D_i = d/d_i$ or $V_i = (d/d_i) v_i$. More specifically, the ciphertext is created by a product-sum operation result of the components of the third vector (extended plaintext vector) and the components of the public-key vector modulo-transformed based on one or a plurality of fourth vectors (base vectors), or by a remainder formed by dividing the product-sum operation result by a modulus.

Moreover, the positions of the components of the plaintext vector as a plaintext portion which is intended to be encrypted, or the positions to which the components of the random number vector as a redundant portion (reduced portion) are added, are not fixed, and can be arbitrarily set by an entity as the sender or an entity as the receiver. Accordingly, since the position of the plaintext portion or the position to which the redundant portion (reduced portion) is added is not fixed and is arbitrarily set, such a position is not known by the attacker, thereby further improving the security.

Furthermore, information indicating this set position may be transmitted publicly or secretly from the entity who set the position to the other entity. In the case where an entity as the sender sets the position, the information indicating the set position may be sent to an entity as the receiver together with the ciphertext by including this information in the ciphertext, or sent to the entity as the receiver via a course different from the transmission of the ciphertext.

More specifically, in the case where the information indicating the set position is sent by including the information in the ciphertext, the ciphertext is created using a publicized fifth vector (public-key vector) and a fourth vector (extended plaintext vector) formed by combining a first vector (plaintext vector) obtained by dividing plaintext to be encrypted, a second vector (pseudo plaintext vector) consisting of random number components which carry no information that particularly needs to be transmitted, and a third vector (position indicating vector) indicating the positions of the components of the first vector or the second vector. More specifically, the ciphertext is created by a product-sum operation result of the components of the fourth vector (extended plaintext vector) and the components of the fifth vector (public-key vector) modulo-transformed based on one or a plurality of sixth vectors (base vectors), or by a remainder formed by dividing the product-sum operation result by a modulus. In this case, the positions of the components of the third vector are publicized. This positional information is included, as the third vector (position indicating vector), in the ciphertext and transmitted to the entity as the receiver. Since the position of each component of the third vector is publicized, the entity as the receiver can decrypt the components of the third vector, know the positions of the components of the first vector (plaintext vector) based on the decryption result, and decrypt the ciphertext into the plaintext.

The above and further objects and features of the invention will more fully be apparent from the following detailed description with accompanying drawings.



BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
FIG. 1 is a schematic diagram showing a communication state of information between two entities; and

FIG. 2 is an illustration showing the structures of embodiments of a recording medium.



DETAILED DESCRIPTION OF THE INVENTION 



The present invention will be described in detail below with 
reference to the drawings illustrating some embodiments thereof. 

FIG. 1 is a schematic diagram showing a state in which an encryption method according to the present invention is used for information communication between entities a and b. FIG. 1 shows an example in which one of the entities, a, encrypts plaintext x into ciphertext C by an encryptor 1 and transmits the ciphertext C to the other entity, b, through a communication channel 3, and the entity b decrypts the ciphertext C into the original plaintext x by a decryptor 2.

(First Embodiment)

The secret key and public key are prepared as follows.
• Secret key: $\{d_i\}$, $\{d_i'\}$, $\{v_i\}$, $P$, $w$
• Public key: $\{c_i\}$

Let $e > e'$. The normal bases $d_i$ and reduced bases $d_i'$ are defined as the bases satisfying (1) and (2), respectively.

$$d_i = 2^{e} + \delta_i \quad (1 \ll \delta_i \ll 2^{e}) \tag{1}$$
$$d_i' = 2^{e'} + \delta_i' \quad (1 \ll \delta_i' \ll 2^{e'}) \tag{2}$$

(k+n) bases consisting of mutually prime numbers are determined. Here, among them, k bases corresponding to $i \in I$ are normal bases, and n bases corresponding to $i \in I'$ are reduced bases. Here, each of $I$ and $I'$ is an index-set, $I = \{1, 2, \ldots, k\}$, $I' = \{k+1, k+2, \ldots, k+n\}$, and $I'' = I \cup I'$. Note that, in the first and second embodiments, unless otherwise specified, $i \in I''$. Next, a base-product $D_i$ is calculated according to (3) below.

$$D_i = \begin{cases} \dfrac{d_1 \cdots d_k \, d_{k+1}' \cdots d_{k+n}'}{d_i} & (i \in I) \\[2ex] \dfrac{d_1 \cdots d_k \, d_{k+1}' \cdots d_{k+n}'}{d_i'} & (i \in I') \end{cases} \tag{3}$$

Moreover, (k+n) random numbers $v_i$ (where $\gcd(d_i, v_i) = 1$) are generated, and a transformed base-product $V_i$ is calculated by (4) below.

$$V_i = D_i v_i \tag{4}$$

The entity a divides the plaintext x, which is to be encrypted and transmitted to the entity b, into k parts so as to obtain a plaintext vector g $= (g_1, g_2, \ldots, g_k)$ whose components are respectively e bits. Further, a pseudo plaintext vector g' $= (g_{k+1}, g_{k+2}, \ldots, g_{k+n})$ whose components are respectively e-bit random numbers, which need not be particularly transmitted to the entity b, is obtained. For example, this pseudo plaintext vector g' can be obtained by dividing plaintext (redundant text) which need not be particularly transmitted to the entity b into n parts. By coupling the plaintext vector g and the pseudo plaintext vector g', an extended plaintext vector g'' $= (g_1'', g_2'', \ldots, g_{k+n}'')$ having (k+n) components is obtained. Here, the components of this extended plaintext vector g'' are respectively defined as shown in (5) below.

'g; (iGI) 



s ; = 1 



With the use of the extended plaintext vector g'' and the transformed base-product $V_i$, the product-sum plaintext M is defined as shown in (6) below.

$$M = g_1'' V_1 + g_2'' V_2 + \cdots + g_{k+n}'' V_{k+n} \tag{6}$$

For any extended plaintext vector g'', a prime number P satisfying $M < P$ is generated and used as a modulus. A random number w smaller than the prime number P is determined, and a public-key vector c as shown in (8) below is obtained according to (7) below and publicized.

$$c_i = w V_i \bmod P \tag{7}$$
$$\text{vector } c = (c_1, c_2, \ldots, c_{k+n}) \tag{8}$$

The entity a calculates the inner-product of the extended plaintext vector g'' and the public-key vector c as shown in (9) below to obtain the ciphertext C. The created ciphertext C is transmitted from the entity a to the entity b through the communication channel 3.

$$C = g_1'' c_1 + g_2'' c_2 + \cdots + g_{k+n}'' c_{k+n} \tag{9}$$

The entity b performs the decryption process as follows. From the ciphertext C, the product-sum plaintext M can be computed as shown in (10) below.

$$M \equiv w^{-1} C \pmod{P} \tag{10}$$

In the extended plaintext vector g'', for the indexes corresponding to the normal bases, i.e., $i \in I$, (11) shown below is established, thereby enabling decryption of the plaintext vector g.

$$g_i \equiv M V_i^{-1} \pmod{d_i} \tag{11}$$
Besides, for the indexes corresponding to the reduced bases, i.e., $i \in I'$, decryption is not necessary. Further, even when an attempt to perform decryption according to (12) below is made in the same manner as in (11) above, since there is a relationship shown in (13) below in the number of bits due to the effect of reduction, the pseudo plaintext vector g' cannot be accurately decrypted.

$$g_i' \equiv M V_i^{-1} \pmod{d_i'} \tag{12}$$
gi'>di J >dr ... (13) 

Note that, while $\gcd(v_i, d_i) = 1$ in the above example, it is also possible to make $\gcd(v_i, d_i) = A_i$. In this case, the processes are performed in the same manner by letting $v_i' = v_i/A_i$, $d_i' = d_i/A_i$, and $\gcd(v_i', d_i') = 1$. Furthermore, in the above example, while random numbers ($v_i$) are added to the base-product $D_i$, the base-product $D_i$ shown in (3) above may be used as it is without adding such random numbers.
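The first embodiment end to end, as an added Python sketch that is not part of the patent text: key generation per (1) to (4) and (7), encryption per (9) with fresh random pseudo plaintext, and decryption per (10) and (11). The function names, the way delta is drawn and the toy sizes (e = 16, e' = 8, k = n = 4) are assumptions made for illustration and are far too small for real use.

```python
import math
import secrets


def probably_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def pick_bases(count, bits, taken):
    """Bases 2^bits + delta, pairwise coprime with each other and with `taken`."""
    out = []
    while len(out) < count:
        # Assumption: delta drawn below 2^(bits/2) as a toy stand-in for (1), (2).
        d = 2 ** bits + 1 + secrets.randbelow(2 ** (bits // 2))
        if all(math.gcd(d, o) == 1 for o in taken + out):
            out.append(d)
    return out


def keygen(k, n, e, e_red, s_bits):
    """Return (public-key vector c, secret key) for k normal and n reduced bases."""
    d = pick_bases(k, e, [])
    d += pick_bases(n, e_red, d)                 # reduced bases d_i' follow the normal ones
    prod = math.prod(d)
    V = []
    for di in d:
        vi = 1 + secrets.randbelow(2 ** s_bits)
        while math.gcd(vi, di) != 1:
            vi = 1 + secrets.randbelow(2 ** s_bits)
        V.append((prod // di) * vi)              # (3) and (4): V_i = D_i * v_i
    P = (2 ** e - 1) * sum(V) + 1                # larger than every possible M in (6)
    while not probably_prime(P):
        P += 1
    w = 2 + secrets.randbelow(P - 3)
    c = [(w * Vi) % P for Vi in V]               # (7)
    return c, {"d": d, "V": V, "P": P, "w": w, "k": k}


def encrypt(blocks, c, e, pseudo=None):
    """(9): inner product of the extended plaintext vector with the public key."""
    if pseudo is None:                           # fresh e-bit random numbers per message
        pseudo = [secrets.randbelow(2 ** e) for _ in range(len(c) - len(blocks))]
    g_ext = list(blocks) + list(pseudo)
    if len(g_ext) != len(c) or any(not 0 <= g < 2 ** e for g in g_ext):
        raise ValueError("need k+n components of at most e bits each")
    return sum(g * ci for g, ci in zip(g_ext, c))


def _residues(C, sk):
    """M from (10), then M * V_i^{-1} mod d_i for every index i."""
    M = pow(sk["w"], -1, sk["P"]) * C % sk["P"]
    return [M * pow(V, -1, d) % d for V, d in zip(sk["V"], sk["d"])]


def decrypt(C, sk):
    """(11): only the k normal positions carry plaintext."""
    return _residues(C, sk)[:sk["k"]]


def reduced_residues(C, sk):
    """What (12) yields at the reduced positions: g_i mod d_i', not g_i itself."""
    return _residues(C, sk)[sk["k"]:]


if __name__ == "__main__":
    c, sk = keygen(k=4, n=4, e=16, e_red=8, s_bits=16)
    blocks = [0x5345, 0x4352, 0x4554, 0x2121]    # constructed sample plaintext blocks
    for _ in range(3):                           # same plaintext, different ciphertexts
        C = encrypt(blocks, c, e=16)
        print(hex(C), decrypt(C, sk) == blocks)
```

Running it shows the property the summary relies on: one plaintext vector maps to many ciphertexts, all of which decrypt to the same k blocks, while the reduced positions return only residues modulo the smaller bases.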
(Second Embodiment)

The secret key and public key are prepared as follows. 
• Secret key: W p >'}, {di«»'}, 

{ Vi (p)} ; ( Vi (Q)}, P, Q, N, w 

• Public key: $\{c_i\}$

Note that, N may be publicized. 

Let P and Q be prime numbers satisfying the conditions described later. Let $e > e'$. The normal bases $d_i^{(P)}$, $d_i^{(Q)}$ and the reduced bases $d_i^{(P)\prime}$, $d_i^{(Q)\prime}$ are defined as the bases satisfying (14) and (15), respectively.

$$d_i^{(P)} d_i^{(Q)} = 2^{e} + \delta_i \quad (1 \ll \delta_i \ll 2^{e}) \tag{14}$$
$$d_i^{(P)\prime} d_i^{(Q)\prime} = 2^{e'} + \delta_i' \quad (1 \ll \delta_i' \ll 2^{e'}) \tag{15}$$

For the modulus P and modulus Q, like the first embodiment, two sets of bases $\{d_i^{(P)}\}$, $\{d_i^{(Q)}\}$ and $\{d_i^{(P)\prime}\}$, $\{d_i^{(Q)\prime}\}$ (where, when $i \neq j$, $\gcd(d_i^{(P)}, d_j^{(P)}) = 1$ and $\gcd(d_i^{(Q)}, d_j^{(Q)}) = 1$) are generated. Here, (16) and (17) shown below are satisfied for any $i \in I''$.

$$\gcd(d_i^{(P)}, d_i^{(Q)}) = 1 \tag{16}$$
$$\gcd(d_i^{(P)\prime}, d_i^{(Q)\prime}) = 1 \tag{17}$$
Next, for the modulus P and modulus Q, like the first embodiment, two sets of random numbers $\{v_i^{(P)}\}$ and $\{v_i^{(Q)}\}$ (where $\gcd(d_i^{(P)}, v_i^{(P)}) = 1$, $\gcd(d_i^{(Q)}, v_i^{(Q)}) = 1$) are generated, and $\{V_i^{(P)}\}$ and $\{V_i^{(Q)}\}$ are given by calculations similar to (3) and (4) shown above.
For the extended plaintext vector g'' constructed in exactly the same manner as in the first embodiment, the product-sum plaintext $M_P$ and the product-sum plaintext $M_Q$ in modulo P and modulo Q are defined as (18) and (19), respectively.

$$M_P = g_1'' V_1^{(P)} + g_2'' V_2^{(P)} + \cdots + g_{k+n}'' V_{k+n}^{(P)} \tag{18}$$
$$M_Q = g_1'' V_1^{(Q)} + g_2'' V_2^{(Q)} + \cdots + g_{k+n}'' V_{k+n}^{(Q)} \tag{19}$$

Furthermore, the prime numbers P and Q are generated to satisfy the conditions $M_P < P$ and $M_Q < Q$ for any extended plaintext vector g'', and their product is defined as N. A minimum $V_i^{(N)}$ ($< N$) which causes the remainders by P and Q to be $V_i^{(P)}$ and $V_i^{(Q)}$, respectively, is calculated using the Chinese Remainder Theorem, and defined as the transformed base-product.

With the use of the extended plaintext vector g'' and the transformed base-product $V_i^{(N)}$, the product-sum plaintext M is defined as shown in (20) below. Here, it is not necessary to satisfy $M < N$.

$$M = g_1'' V_1^{(N)} + g_2'' V_2^{(N)} + \cdots + g_{k+n}'' V_{k+n}^{(N)} \tag{20}$$

A random number w smaller than N is determined, and the public-key vector c as shown in (22) below is obtained according to (21) below and publicized.

$$c_i = w V_i^{(N)} \bmod N \tag{21}$$
$$\text{vector } c = (c_1, c_2, \ldots, c_{k+n}) \tag{22}$$

The entity a calculates the inner-product of the extended plaintext vector g'' and the public-key vector c as shown in (23) below to obtain the ciphertext C. The created ciphertext C is transmitted from the entity a to the entity b through the communication channel 3. Besides, in the case where N is publicized, the remainder formed by dividing the C shown in (23) below by N is made the ciphertext.

$$C = g_1'' c_1 + g_2'' c_2 + \cdots + g_{k+n}'' c_{k+n} \tag{23}$$

The entity b performs the decryption process as follows. The product-sum plaintext M satisfies (24) below. Therefore, the product-sum plaintexts $M_P$ and $M_Q$ in modulo P and modulo Q can be computed as shown in (25) and (26) below.

$$M \equiv w^{-1} C \pmod{N} \tag{24}$$
$$M_P = M \bmod P \tag{25}$$
$$M_Q = M \bmod Q \tag{26}$$
In the extended plaintext vector g'', for the indexes corresponding to the normal bases, i.e., $i \in I$, since $2^{e} < d_i^{(P)} d_i^{(Q)}$, $(g_i^{(P)}, g_i^{(Q)})$ are calculated by (27) and (28) below, and (29) shown below is established using the Chinese Remainder Theorem, thereby enabling decryption of the plaintext vector g.

$$g_i^{(P)} \equiv M_P \, V_i^{(P)\,-1} \pmod{d_i^{(P)}} \tag{27}$$
$$g_i^{(Q)} \equiv M_Q \, V_i^{(Q)\,-1} \pmod{d_i^{(Q)}} \tag{28}$$
$$g_i \equiv \begin{cases} g_i^{(P)} \pmod{d_i^{(P)}} \\ g_i^{(Q)} \pmod{d_i^{(Q)}} \end{cases} \tag{29}$$

Besides, for the indexes corresponding to the reduced bases, i.e., $i \in I'$, like the first embodiment, decryption is not necessary and the pseudo plaintext vector g' cannot be accurately decrypted.

Note that, in the above example, while the random numbers $\{v_i^{(P)}\}$, $\{v_i^{(Q)}\}$ are added to two sets of bases $\{d_i^{(P)}\}$, $\{d_i^{(Q)}\}$, a base-product obtained without adding such random numbers may be used.

Next, the following description will explain that a high density exceeding 1 is realized by the schemes as described in the first and second embodiments so as to have a strong resistance to the low-density attack based on the LLL algorithm. For a general product-sum type cryptosystem that is not reduced, the ciphertext density $\sigma$, the scheme density $\rho$, and the rate $\eta$ are respectively defined as shown in (30), (31), and (32) below. Note that C is the number of bits of the ciphertext, $C_{\max}$ is the possible maximum number of bits of the ciphertext, k is the number into which the plaintext is divided, and e is the number of bits of the divided plaintext.

$$\sigma = \frac{\sum_{i=1}^{k} \log_2 g_i}{\log_2 C} \tag{30}$$
$$\rho = \frac{ke}{\log_2 C_{\max}} \tag{31}$$
$$\eta = \frac{ke}{|C_{\max}|} \tag{32}$$

Further, for a product-sum type cryptosystem that is reduced like the first and second embodiments, the ciphertext density $\sigma'$ and the scheme density $\rho'$ are respectively defined as shown in (33) and (34) below. Note that the rate is the same as (32) above.

$$\sigma' = \frac{\sum_{i=1}^{k+n} \log_2 g_i}{\log_2 C} \tag{33}$$
$$\rho' = \frac{(k+n)e}{\log_2 C_{\max}} \tag{34}$$

The density in the first embodiment will be considered. Let the random number $v_i$ be s bits. In order to make the density as large as possible, when the possible maximum product-sum plaintext is denoted as $M_{\max}$, the bit-size of the modulus P should be set such that $|P| = |M_{\max}|$. In this case, the scheme density $\rho_1$ and the rate $\eta_1$ according to the first embodiment satisfy the conditions of (35) and (36), respectively.

$$\rho_1 = \frac{(k+n)e}{e + \log_2 P + \log_2 (k+n)} > \frac{(k+n)e}{(k+2)e + (n-1)e' + s + 2\log_2 (k+n) + 1} \tag{35}$$
$$\eta_1 = \frac{ke}{e + \log_2 P + \log_2 (k+n)} > \frac{ke}{(k+2)e + (n-1)e' + s + 2\log_2 (k+n) + 1} \tag{36}$$



In order to avoid attacks for finding the secret key from the public key (Kiyoko Katayanagi, Yasuyuki Murakami, Masao Kasahara: "Study on the product-sum type cryptosystem", reference material in The 1999 Symposium on Cryptography and Information Security, disclosed in B43 Jan. 2000), the bit-size of the random number $v_i$ needs to be 1/4 or more of the bit-size of the modulus P. In order to satisfy this condition, when calculation is performed by supposing that the bit-size of the random number $v_i$ is $s = (1/4)\log_2 P + 1$, the scheme density $\rho_1$ and the rate $\eta_1$ satisfy the conditions of (37) and (38), respectively.

$$\rho_1 > \frac{3(k+n)e}{(4k+7)e + 4(n-1)e' + 7\log_2 (k+n) + 7} \tag{37}$$
$$\eta_1 > \frac{3ke}{(4k+7)e + 4(n-1)e' + 7\log_2 (k+n) + 7} \tag{38}$$



In this condition, since the random number $v_i$ is extremely large, if the condition $e' < e/2$ or $k < n$ is met, a parameter satisfying $\rho_1 > 1$ exists.

The density in the second embodiment will be considered. Let the product of the random numbers $v_i^{(P)}$ and $v_i^{(Q)}$, i.e., $v_i^{(P)} v_i^{(Q)}$, be s bits. When a modulus N is not publicized, in order to make the density as large as possible, if the possible maximum product-sum plaintexts are denoted by $M_{P\max}$ and $M_{Q\max}$, then the bit-sizes should be set such that $|P| = |M_{P\max}|$, $|Q| = |M_{Q\max}|$. In this case, the scheme density $\rho_2$ and the rate $\eta_2$ according to the second embodiment satisfy the conditions of (39) and (40), respectively.

$$\rho_2 = \frac{(k+n)e}{e + \log_2 N + \log_2 (k+n)} > \frac{(k+n)e}{(k+3)e + (n-1)e' + s + 3\log_2 (k+n) + 1} \tag{39}$$
$$\eta_2 = \frac{ke}{e + \log_2 N + \log_2 (k+n)} > \frac{ke}{(k+3)e + (n-1)e' + s + 3\log_2 (k+n) + 1} \tag{40}$$



In the second embodiment, since multiplexing is employed, it is not necessary to make the random numbers very large. Therefore, even when the conditions are $e' = e/2$ and $k = n$, it is possible to readily achieve the scheme density $\rho_2 > 1$ and the rate $\eta_2 > 1/2$. For example, in the above conditions, when the divided number is k = 8 and each of the bases $d_i^{(P)}$, $d_i^{(Q)}$ and the random numbers $v_i^{(P)}$, $v_i^{(Q)}$ is 32 bits, $\rho_2 = 1.0174$, $\eta_2 = 0.5087$, and thus the above conditions ($\rho_2 > 1$, $\eta_2 > 1/2$) are realized with such small parameters. However, there is a security problem with small parameters, and therefore it is practical to use parameters of, for example, around k = 100, e = 64, and e' = 32.

Moreover, when the modulus N is publicized and the remainder of dividing C by N is made the ciphertext, the scheme density $\rho_2$ and the rate $\eta_2$ according to the second embodiment respectively satisfy the conditions of (41) and (42) below.

$$\rho_2 = \frac{(k+n)e}{\log_2 N} > \frac{(k+n)e}{(k+2)e + (n-1)e' + s + 2\log_2 (k+n) + 1} \tag{41}$$
$$\eta_2 = \frac{ke}{\log_2 N} > \frac{ke}{(k+2)e + (n-1)e' + s + 2\log_2 (k+n) + 1} \tag{42}$$



As described above, when the modulus N is publicized, both the scheme density $\rho_2$ and the rate $\eta_2$ are improved as compared with those when the modulus N is not publicized.

Incidentally, it is possible to set the random number components in the pseudo plaintext vector g' completely independently of the plaintext vector g. Therefore, the random number components of the pseudo plaintext vector g' can be set so that the scheme density of the created ciphertext C becomes higher. Moreover, there is an effective technique in which, after creating the ciphertext C by setting a certain random number sequence as the pseudo plaintext vector g', the scheme density of the ciphertext C is calculated and, when the calculated value does not exceed 1, the ciphertext C is recreated by setting a different random number sequence for the pseudo plaintext vector g', or, when the scheme density exceeds 1, the ciphertext C is transmitted to the entity as the receiver.
In the schemes of the above-described first and second embodiments, the positions (reduced positions) of the random numbers of the pseudo plaintext vector, which need not be particularly encrypted and transmitted to the entity b, in the extended plaintext vector are fixedly set by the entity b as the receiver, and information indicating the positions is publicized.

On the other hand, if the positions (reduced positions) of such random number components or the positions (normal positions) of the components of the plaintext vector to be encrypted can be arbitrarily set, a further improvement in security can be expected. The third embodiment given below explains the case where such reduced positions or normal positions are arbitrarily set by the entity a as the sender and the ciphertext including therein the information indicating the positions is transmitted to the entity b.

(Third Embodiment)

First, some definitions used for explaining the third embodiment will be described. In the third embodiment, the plaintext to be encrypted is also divided into some divided plaintext. Each divided plaintext is treated as a message vector m. The message vector m is extended into a vector m' by the extension-transformation to be defined below. This vector m' is referred to as the "extension message vector". The sums of the bit-sizes of the components of the vector m and the vector m' are e (bits) and e' (bits), respectively (where $e \le e'$). Moreover, let the possible maximum bit number of the ciphertext be $C_{\max}$.



<Definition 1 (Density)> 

The scheme density p is defined as shown in (43) below. 

P '°s 2 C ma x (43) 

<Definition 2 (Rate)>

The rate $\eta$ is defined as shown in (44) below.

7?= — i _ . . . (44) 

i u max I 

Let the vector a $= (a_1, a_2, \ldots, a_w)$ be a w-dimensional vector and the vector c $= (c_1, c_2, \ldots, c_n)$ be an n-dimensional vector. Moreover, let the vector b $= (b_1, b_2, \ldots, b_n)$ be an n-dimensional binary vector of weight w. Here, the conditions shown in (45) below are satisfied.

$$b_{i_1} = b_{i_2} = \cdots = b_{i_w} = 1, \qquad i_1 < i_2 < \cdots < i_w \tag{45}$$



<Definition 3 (Index-Set)>

The index-set I = Ind(vector b) is defined as shown in (46) below.

$$I = \{(i_1, i_2, \ldots, i_w)\} \tag{46}$$

<Definition 4 (Vector Expression)> 

The index-set I is a subset of $\{1, 2, \ldots, n\}$, and the vector d = Vec(I, n) is defined as a vector expression as shown in (47) below. Here, the vector d $= (d_1, d_2, \ldots, d_n)$, and, for example, when I = Ind(vector b), vector b = Vec(I, n).

$$d_i = \begin{cases} 1 & (i \in I) \\ 0 & (i \notin I) \end{cases} \tag{47}$$



<Definition 5 (Extension)> 

The n-dimensional vector c extended from the vector a by the vector b is expressed as vector c = vector a{vector b}, and defined as shown in (48) below. For example, if vector a $= (a_1, a_2, a_3)$ and vector b $= (1, 0, 1, 1)$, then vector a{vector b} $= (a_1, 0, a_2, a_3)$.



• • • (4 8) 

c |< = 0 (in case of bj < =0) 

(] = 1, 2. - . w , k = 1. 2. - . n) 

<Definition 6 (Extraction)> 

The w-dimensional vector a extracted from the vector c by the vector b is expressed as vector a = vector c{vector b}, and defined as shown in (49) below. For example, if vector c $= (c_1, c_2, c_3, c_4)$ and vector b $= (1, 0, 1, 1)$, then the first, third and fourth components are extracted, so that vector c{vector b} $= (c_1, c_3, c_4)$.

$$\vec{a} = (c_{i_1}, c_{i_2}, \ldots, c_{i_w}) \tag{49}$$

Next, a specific scheme of the third embodiment will be explained.

<Dividing Plaintext> 

The plaintext x is divided into a plurality of ek-bit blocks. Each block is expressed by the message vector m as shown in (50) below. Note that $m_i$ ($i = 1, 2, \ldots, k$) are e-bit integers.

$$\text{vector } m = (m_1, m_2, \ldots, m_k) \tag{50}$$

<Extension Transformation> 

Let the message vector m be a k-dimensional vector whose components are e-bit integers and the random number vector r be an n-dimensional vector whose components are e'-bit integers. Here, $e < e'$. Moreover, let a vector s be a (k+n)-dimensional binary vector of weight k. This vector s will be referred to as the "position indicator".

Set h as shown in (51) below and let a vector s' be an arbitrary (he − (k+n))-bit binary padding vector. An he-dimensional binary concatenate vector [vector s | vector s'] can be divided into h-dimensional vectors t whose components are e-bit integers as shown in (52) below.

$$h = \lceil (k+n)/e \rceil \tag{51}$$
$$\vec{t} = (t_1, t_2, \ldots, t_h) \tag{52}$$

Let K = k+n+h, and the index-sets $I_N$, $I_R$ and $I_L$ are respectively defined as shown in (53), (54) and (55) below. Here, a vector s bar ($\bar{s}$) represents a bit complement of the vector s.

$$I_N = \mathrm{Ind}(\vec{s}) \tag{53}$$
$$I_R = \mathrm{Ind}(\bar{s}) \tag{54}$$
$$I_L = \{k+n+1, k+n+2, \ldots, K\} \tag{55}$$

Note that while the components of the index-set $I_L$ are the last h components in the above example, the location of these components may be decided arbitrarily. In this case, the conditions of (56) and (57) below are satisfied, and the vector m' and vector s are respectively expressed as shown in (58) and (59) below.

$$I_N \cup I_R \cup I_L = \{1, 2, \ldots, K\} \tag{56}$$
$$I_N \cap I_R = I_R \cap I_L = I_L \cap I_N = \emptyset \tag{57}$$
$$\vec{m}' = \vec{m}\{\mathrm{Vec}(I_N, K)\} + \vec{r}\{\mathrm{Vec}(I_R, K)\} + \vec{t}\{\mathrm{Vec}(I_L, K)\} \tag{58}$$
$$\vec{s} = \mathrm{Vec}(I_N, K)[\mathrm{Vec}(I_L, K)] \tag{59}$$

The message vector m is transformed into the extension message vector m' $= (m_1', m_2', \ldots, m_K')$ as shown in (60) below. In this case, each component of this vector m' has a size shown in (61) below.

$$\vec{m}' = [\, \vec{m}\{\vec{s}\} + \vec{r}\{\bar{s}\} \mid \vec{t} \,] \tag{60}$$
$$|m_i'| = \begin{cases} e & (i \in I_N \cup I_L) \\ e' & (i \in I_R) \end{cases} \tag{61}$$

<Key Generation> 

The secret key and public key are prepared as follows.
• Secret key: {$d_i^{(P)}$}, {$d_i^{(Q)}$}, {$v_i^{(P)}$}, {$v_i^{(Q)}$}, P, Q, N, w (where i = 1, 2, ..., K)
• Public key: vector c = ($c_1$, $c_2$, ..., $c_K$), $I_L$, e, e'
Note that N may be publicized.

First, for any i and j (where i ≠ j), two sets of bases {$d_i^{(P)}$},
{$d_i^{(Q)}$} satisfying the conditions shown in (62) to (65) below are
generated.

$\gcd(d_i^{(P)}, d_j^{(P)}) = 1$ ... (62)

$\gcd(d_i^{(Q)}, d_j^{(Q)}) = 1$ ... (63)

$\gcd(d_i^{(P)}, d_i^{(Q)}) = 1$ ... (64)

$d_i^{(P)} d_i^{(Q)} = 2^e + \delta_i \quad (1 \ll \delta_i \ll 2^e)$ ... (65)

Let $v_i^{(P)}$, $v_i^{(Q)}$ be randomly selected integers, and $V_i^{(P)}$, $V_i^{(Q)}$ are
calculated as shown in (66) and (67) below. Here, $v_i^{(P)}$ and $v_i^{(Q)}$
satisfy the conditions shown in (68) and (69) below.

$V_i^{(P)} = \dfrac{d_1^{(P)} d_2^{(P)} \cdots d_K^{(P)}}{d_i^{(P)}} \, v_i^{(P)}$ ... (66)

$V_i^{(Q)} = \dfrac{d_1^{(Q)} d_2^{(Q)} \cdots d_K^{(Q)}}{d_i^{(Q)}} \, v_i^{(Q)}$ ... (67)

$\gcd(d_i^{(P)}, v_i^{(P)}) = 1$ ... (68)

$\gcd(d_i^{(Q)}, v_i^{(Q)}) = 1$ ... (69)
Next, for any extension message vector m', large prime
numbers P and Q satisfying the conditions $M_P$ < P, $M_Q$ < Q are set.
Note that $M_P$ and $M_Q$ are respectively defined as shown in (70) and
(71) below.

$M_P = m'_1 V_1^{(P)} + m'_2 V_2^{(P)} + \cdots + m'_K V_K^{(P)}$ ... (70)

$M_Q = m'_1 V_1^{(Q)} + m'_2 V_2^{(Q)} + \cdots + m'_K V_K^{(Q)}$ ... (71)

Then, set N = PQ, and calculate $V_i$ (0 ≤ $V_i$ < N) by (72)
shown below according to the Chinese Remainder Theorem.

$V_i \equiv \begin{cases} V_i^{(P)} \pmod{P} \\ V_i^{(Q)} \pmod{Q} \end{cases}$ ... (72)

Each component of the public-key vector c is computed by
(73) shown below. Here, w is a random number arbitrarily selected
from $Z_N^*$.

$c_i = w V_i \bmod N$ ... (73)

<Encryption>

The entity a (sender) arbitrarily generates the vector s as the
above-described position indicator. In other words, the entity a as
the sender arbitrarily selects an index-set $I_N$ that indicates the
location related to the message vector m. Next, the entity a
(sender) generates an n-dimensional vector r whose components are
arbitrarily selected e'-bit integers. A high density is realized by
this random number vector r. In other words, by adding the
random number vector r as a redundant portion (reduced portion),
the density becomes higher, as will be described later.

The entity a (sender) transforms the message vector m into
the extension message vector m' by the vector s and vector r. Then,
the inner-product of this extension message vector m' and the
public-key vector c is calculated as shown in (74) below to obtain the
ciphertext C. The created ciphertext C is transmitted from the
entity a to the entity b through the communication channel 3.

$C = \vec{m}' \cdot \vec{c} = m'_1 c_1 + m'_2 c_2 + \cdots + m'_K c_K$ ... (74)

In this encryption, the message vector m obtained by
dividing the plaintext to be encrypted is transmitted at the
positions indicated by the index-set $I_N$, and the information about
the index-set $I_N$ is transmitted by the vector s at the positions
indicated by the index-set $I_L$.

<Decryption> 

The entity b (receiver) performs the decryption process as
follows.

The intermediate message M satisfies (75) shown below.
Therefore, the intermediate messages $M_P$, $M_Q$ in modulo P and
modulo Q can be computed as shown in (76) and (77) below.

$M \equiv w^{-1} C \pmod{N}$ ... (75)

$M_P \equiv M \bmod P$ ... (76)

$M_Q \equiv M \bmod Q$ ... (77)
Then, ($m_i^{(P)}$, $m_i^{(Q)}$) are obtained by (78) and (79) below, and
(80) shown below is established by applying the Chinese Remainder
Theorem, thereby enabling decryption of the message vector m" =
($m''_1$, $m''_2$, ..., $m''_K$).

$m_i^{(P)} \equiv M_P \, {V_i^{(P)}}^{-1} \pmod{d_i^{(P)}}$ ... (78)

$m_i^{(Q)} \equiv M_Q \, {V_i^{(Q)}}^{-1} \pmod{d_i^{(Q)}}$ ... (79)

$m''_i \equiv \begin{cases} m_i^{(P)} \pmod{d_i^{(P)}} \\ m_i^{(Q)} \pmod{d_i^{(Q)}} \end{cases}$ ... (80)

Since e' > e, from (61) above, each component of the
decrypted message vector m" satisfies the conditions shown in (81)
below.

$\begin{cases} m''_i = m'_i & (i \in I_N \cup I_L) \\ m''_i \neq m'_i & (i \in I_R) \end{cases}$ ... (81)

According to the index-set $I_L$, the vector t is extracted from
the decrypted vector m" as shown in (82) below.

$\vec{t} = \vec{m}''[\mathrm{Vec}(I_L, K)]$ ... (82)

By regarding the vector t as the he-dimensional binary
vector [vector s | vector s'], the entity b (receiver) can rebuild the
(k+n)-dimensional binary vector s of weight k. It is therefore
possible to finally obtain the message vector m as shown in (83)
below.

$\vec{m} = \vec{m}''[\vec{s}]$ ... (83)

Note that, in a general case where the components of the
index-set $I_L$ are arbitrarily selected, by substituting the vector m" in
(83) above with one shown in (84) below, the message vector m is
obtained.

$\vec{m}''[\mathrm{Vec}(I_L, K)]$ ... (84)

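The key generation, encryption and decryption steps above, run end to end as an added toy example (this is not code from the patent). It assumes e = 8, e' = 16, k = 3, n = 2, small constructed prime bases, 4-bit $v_i$ and $I_L$ fixed at the last h positions; all function and variable names are illustrative.

```python
import secrets
from math import gcd, isqrt, prod

E, E2, KM, NR = 8, 16, 3, 2   # e, e', k, n (toy sizes assumed for this demo)
H = -(-(KM + NR) // E)        # (51): h = ceil((k+n)/e)
K = KM + NR + H
# Constructed toy bases: 12 distinct primes, so (62)-(64) hold; each product
# d_i^(P) * d_i^(Q) lies just above 2^e, in the spirit of (65).
DP = [3, 53, 7, 29, 13, 19]
DQ = [89, 5, 37, 11, 23, 17]

def crt(a, p, b, q):          # x in [0, pq), x = a (mod p), x = b (mod q); 0 <= a < p
    return a + p * ((b - a) * pow(p, -1, q) % q)

def next_prime(x):
    x += 1
    while x % 2 == 0 or any(x % d == 0 for d in range(3, isqrt(x) + 1, 2)):
        x += 1
    return x

def half_key(d):              # V_i per (66)/(67); modulus per (70)/(71)
    V = []
    for di in d:
        vi = 2 + secrets.randbelow(14)
        while gcd(di, vi) != 1:              # (68)/(69)
            vi = 2 + secrets.randbelow(14)
        V.append(prod(d) // di * vi)
    return V, next_prime((2**E2 - 1) * sum(V))   # prime above any M_P (or M_Q)

def keygen():
    (VP, P), (VQ, Q) = half_key(DP), half_key(DQ)
    while Q == P:
        Q = next_prime(Q)
    N = P * Q
    w = 2 + secrets.randbelow(N - 2)
    while gcd(w, N) != 1:                    # w must lie in Z_N^*
        w = 2 + secrets.randbelow(N - 2)
    c = [w * crt(a, P, b, Q) % N for a, b in zip(VP, VQ)]   # (72), (73)
    return c, (VP, VQ, P, Q, w)

def encrypt(m, s, c):         # m: k e-bit ints; s: k+n bits of weight k
    ok = sorted(s) == [0] * NR + [1] * KM and len(m) == KM
    if not ok or not all(0 <= x < 2**E for x in m):
        raise ValueError("bad message vector or position indicator")
    it = iter(m)
    body = [next(it) if b else secrets.randbits(E2) for b in s]  # m{s} + r{s-bar}
    bits = s + [0] * (H * E - len(s))                            # [s | s'], s' = 0
    t = [int("".join(map(str, bits[j*E:(j+1)*E])), 2) for j in range(H)]  # (52)
    return sum(x * ci for x, ci in zip(body + t, c))             # (74)

def decrypt(C, sk):
    VP, VQ, P, Q, w = sk
    M = pow(w, -1, P * Q) * C % (P * Q)                          # (75)
    m2 = [crt(M % P * pow(a, -1, dp) % dp, dp,                   # (76), (78)
              M % Q * pow(b, -1, dq) % dq, dq)                   # (77), (79), (80)
          for a, dp, b, dq in zip(VP, DP, VQ, DQ)]
    bits = [int(ch) for x in m2[K - H:] for ch in format(x, f"0{E}b")]  # (82)
    s = bits[:KM + NR]
    return [x for x, b in zip(m2, s) if b], s                    # (83)
```

The components at the $I_R$ positions come back reduced modulo $d_i^{(P)} d_i^{(Q)}$ and are discarded, which is the behaviour (81) describes.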
Next, the security of the encryption scheme of the third
embodiment as described above will be explained. It has been
known that the low-density attack using the LLL algorithm is a
very effective attack method with respect to the product-sum type
public-key cryptosystems when the density is small. For example,
it has also been known that the knapsack cryptosystem which is a
typical one of the product-sum type cryptosystems is broken by the
low-density attack when the density is smaller than 0.9408. In the
encryption scheme of the above-described third embodiment, a high
density exceeding 1 is realized, which means that this scheme is
safe from the low-density attack.

If each of the random numbers $v_i^{(P)}$, $v_i^{(Q)}$ is an f-bit number,
the density ρ in the above-described encryption scheme of the third
embodiment satisfies the condition shown in (85) below. Here, K =
k+n+h, and e' > e.

$\rho > \dfrac{(k+h)e + ne'}{\lceil e' + \log_2 N + \log_2 n \rceil} > \dfrac{Ke + n(e'-e)}{Ke + (3e'-e) + f + 1 + 3\log_2 n}$ ... (85)

For example, when f = e and e' = 2e are set for simplicity,
since n satisfies the condition shown in (86) below, ρ > 1 is realized.
As a practical example, when e = 32, it will be understood that ρ > 1
can be realized by making n = 7 for all k.

$(n-6)e > 3\log_2 n + 1$ ... (86)

Moreover, in the encryption scheme of the third embodiment,
a high rate can also be realized. The rate η in the above-described
encryption scheme of the present invention satisfies the condition
shown in (87) below.

$\eta > \dfrac{ke}{\lceil e' + \log_2 N + \log_2 n \rceil} > \dfrac{ke}{Ke + (3e'-e) + f + 1 + 3\log_2 n}$ ... (87)

Here, when f = e and e' = 2e are set for simplicity, since n and
k satisfy the condition shown in (88) below, η > 0.5 is realized. As a
practical example, when e = 32, it will be understood that η > 0.5
can be realized by making n = 7 and k > 14. For instance, if k = 57,
then η ≥ 0.7884. Thus, from the viewpoint of the rate, the
scheme of the third embodiment is efficient.

$\left( k - n - \left\lceil \dfrac{k+n}{e} \right\rceil - 6 \right) e > 3\log_2 n + 1$ ... (88)
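The figures quoted for e = 32 can be checked against the closed-form right-hand bounds of (85) and (87). The following is an added example, not part of the patent; the function names are illustrative, and f = e, e' = 2e is assumed in the two searches as in the text.

```python
from math import ceil, log2

def bounds(e, e2, f, k, n):
    """Lower bounds on density (85) and rate (87).

    e: bits per message component, e2: bits per random component (e'),
    f: bits of each v_i, k: message components, n: random components.
    Uses the common denominator Ke + (3e' - e) + f + 1 + 3*log2(n).
    """
    h = ceil((k + n) / e)                      # (51)
    K = k + n + h
    denom = K * e + (3 * e2 - e) + f + 1 + 3 * log2(n)
    return (K * e + n * (e2 - e)) / denom, k * e / denom

def min_n_for_density(e, k_values):
    """Smallest n whose density bound exceeds 1 for every k tried."""
    n = 1
    while not all(bounds(e, 2 * e, e, k, n)[0] > 1 for k in k_values):
        n += 1
    return n

def min_k_for_rate(e, n, target=0.5):
    """Smallest k whose rate bound exceeds the target for the given n."""
    k = 1
    while bounds(e, 2 * e, e, k, n)[1] <= target:
        k += 1
    return k
```

For e = 32 the density search stops at n = 7 whatever k is, and with n = 7 the rate bound first passes 0.5 at k = 15, matching the conditions (86) and (88).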



Since the encryption scheme of the third embodiment can
realize a high density, it is sufficiently safe from the low-density
attack. Moreover, the entity as the sender can freely decide the
positions of reduced bases. Therefore, even if the attacker tries to
make an effective attack on the encryption scheme of the third
embodiment based on the reduced bases whose positions are known,
it is difficult for the attacker to identify the positions of the reduced
bases. Accordingly, the characteristic feature of the third
embodiment that the positions of the reduced bases are not fixed
and can be arbitrarily decided by the sender means that this
scheme is also safe from attacks which are effective when the
positions of the reduced bases are known.

The following description will explain other examples of the
third embodiment. In the above-described example, while the
location of $I_L$ is fixed (the last end) in every block, the location of
this $I_L$ may be different between the respective blocks. As such an
example, the following are given.

(First Example)

For the first block, the location of $I_L$ is fixed (for example, at
the last end like the above-mentioned example), and this $I_L$ is
publicized. Then, for the second block and following blocks, the
location of $I_L$ in each block is decided by the message vector of a
block that comes one block before. Therefore, the location of $I_L$
varies from the second block. Accordingly, even when the entity as
the sender arbitrarily decides the positions of the reduced bases,
since the $I_L$ in the first block is publicized and the location of $I_L$ in
the second block and the following blocks is known from the
message vectors of the previous blocks, the entity as the receiver
can decrypt the ciphertext into the plaintext like the
above-mentioned example. In this first example, since the location
of $I_L$ is varied in each block, it is possible to achieve an improvement
in the security.

(Second Example)

For the first block, the position of $I_L$ is fixed (for example, at
the last end like the above-mentioned example), and this $I_L$ is
publicized. Then, for the second block and the following blocks, the
term of $I_L$ is not provided, and the h-dimensional vector to be
allocated to the term of $I_L$ is allocated to a message obtained by
dividing the plaintext. Then, for the second block and the
following blocks, the positional information indicating the positions
of the reduced bases of each block is decided from the message of a
block that comes one block before. Therefore, $I_L$ does not exist in
the second block and the following blocks. Accordingly, even when
the entity as the sender arbitrarily decides the positions of the
reduced bases, since the $I_L$ in the first block is publicized and the
positions of the reduced bases in the second block and the following
blocks are known from the message vectors of the previous blocks,
the entity as the receiver can decrypt the ciphertext into the
plaintext like the above-mentioned example. Moreover, in the
second block and the following blocks, since the portions to be allocated
to the message are increased from k terms to (k+h) terms, the volume
of message that can be included in a single block is increased,
thereby enabling a further increase in the rate.

Note that, in the above example, while the information
(index-set $I_L$) indicating the positions (index-set $I_N$) of the
components of the message vector m obtained by dividing the
plaintext to be encrypted is transmitted, it is certainly possible to
transmit information indicating the positions (index-set $I_R$) of the
components of the random number vector r to be added.

Moreover, in the above example, while the random numbers
{$v_i^{(P)}$}, {$v_i^{(Q)}$} are added to two sets of bases {$d_i^{(P)}$}, {$d_i^{(Q)}$}, it is also
possible to use a base-product obtained without adding such random
numbers.

Furthermore, in the above example, as shown in (74), the
inner-product value (product-sum operation result) of the extension
message vector m' and the public-key vector c is made the ciphertext
C as it is, but one obtained by transformation of the inner-product
value (product-sum operation result) modulo N, i.e., the remainder
formed by dividing C in the above-mentioned (74) by N, may be
made the ciphertext.

$C = (m'_1 c_1 + m'_2 c_2 + \cdots + m'_K c_K) \bmod N$ ... (89)

In the case where the ciphertext is expressed as shown in
(74), the ground of security is based on the difficulty of specifying a
real solution among a plurality of solutions of the linear
Diophantine indefinite equation for finding unknown numbers $x_1$,
$x_2$, ..., $x_n$ when $a_1$, $a_2$, ..., $a_n$ and C are known integers in the equation
shown in (90) below. On the other hand, in the case where the
ciphertext is expressed as shown in (89), since the product-sum
operation is performed and the product-sum value is transformed
modulo N, the ground of security is based on the difficulty in the
prime factorization of N. In this case, since N is publicized, the
quantity of the information provided to the attacker is increased,
but the attacker can only know the remainder of the product-sum
operation result rather than the result of the product-sum operation,
and therefore the difficulty of solving the linear Diophantine
equation is enhanced.

$C = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n$ ... (90)

(Fourth Embodiment) 

Note that, in the third embodiment, while the information
indicating the positions of the components of the message vector or
the components of the random number vector in the extension
message vector which are arbitrarily set by the entity as the sender
is included in the ciphertext, it is also possible to send the
information indicating such positions from an entity as the sender
to an entity as the receiver, independently of the transmission of the
ciphertext.

(Fifth Embodiment)

Note that, in the third and fourth embodiments, while the
positions of the components of the message vector or the
components of the random number vector in the extension message
vector are arbitrarily set by an entity as the sender, it is also
possible to arbitrarily set such positions by an entity as the receiver.

(Sixth Embodiment)

Moreover, in the third to fifth embodiments, while the
multiplexed schemes in which two sets ({$d_i^{(P)}$}, {$d_i^{(Q)}$}) of the set of
bases {$d_i$} consisting of k elements are generated are explained, it is
certainly possible to similarly apply these third to fifth
embodiments to a scheme in which one set of bases {$d_i$} is used like
the above-described first embodiment.

FIG. 2 is an illustration showing the structures of
embodiments of a memory product of the present invention. The
programs illustrated as examples here include a process of
obtaining the extended plaintext vector g" or the extension message
vector m' according to the procedure of the above-described
encryption scheme and a process of creating the ciphertext C by
calculating the inner-product of the obtained extended plaintext
vector g" or extension message vector m' and the public-key vector c,
and are recorded on the memory product explained below. Note
that a computer 10 is provided for the entity as the sender.

In FIG. 2, a memory product 11 to be on-line connected to the
computer 10 is implemented using a server computer, for example,
WWW (World Wide Web), located in a place distant from the
installation location of the computer 10, and a program 11a as
mentioned above is recorded on the memory product 11. The
program 11a read from the memory product 11 via a transmission
medium 14 such as a communication line controls the computer 10
to create the ciphertext C.

A memory product 12 provided inside the computer 10 is
implemented using, for example, a hard disk drive or a ROM to be
installed in the computer 10, and a program 12a as mentioned
above is recorded on the memory product 12. The program 12a
read from the memory product 12 controls the computer 10 to create
the ciphertext C.

A memory product 13 used by being loaded into a disk drive
10a installed in the computer 10 is implemented using, for example,
a removable magneto-optical disk, CD-ROM, flexible disk or the like,
and a program 13a as mentioned above is recorded on the memory
product 13. The program 13a read from the memory product 13
controls the computer 10 to create the ciphertext C.

In the present invention, as described above, since the
ciphertext is obtained using a publicized public vector and a
composite vector produced by adding a random number vector
whose components are a plurality of arbitrarily selected random
numbers to a plaintext vector obtained by dividing the plaintext to
be encrypted, a redundant portion (reduced portion) consisting of
random numbers which need not be encrypted is added, thereby
increasing the density of the ciphertext, enhancing the
invulnerability to the low-density attack based on the LLL
algorithm and improving the security. Moreover, since the
positions of the components of the plaintext vector or random
number vector in the composite vector can be arbitrarily set by an
entity as the sender or an entity as the receiver, it is difficult for the
attacker to find the positions, thereby enabling a further
improvement in the security. As a result, the present invention
can greatly contribute to opening the door to practical applications
of product-sum type cryptosystems.

As this invention may be embodied in several forms without
departing from the spirit of essential characteristics thereof, the
present embodiments are therefore illustrative and not restrictive,
since the scope of the invention is defined by the appended claims
rather than by the description preceding them, and all changes that
fall within metes and bounds of the claims, or equivalence of such
metes and bounds thereof are therefore intended to be embraced by
the claims.



